TrueCrypt 7.1a Audit Results

Topics: Technical Issues
Sep 18, 2015 at 3:57 PM
https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf

Which of the following is still an issue with VeraCrypt?
  1. CryptAcquireContext may silently fail in unusual scenarios
  2. AES implementation susceptible to cache-timing attacks
  3. Keyfile mixing is not cryptographically sound
  4. Unauthenticated ciphertext in volume headers
A cursory glance at https://veracrypt.codeplex.com/SourceControl/latest#src/Common/Keyfiles.c tells me that #3 still affects VeraCrypt.

Which issues are still relevant and is anyone assigned to fixing them?
Coordinator
Sep 19, 2015 at 2:24 PM
Edited Sep 19, 2015 at 7:05 PM
The CryptAcquireContext issue was fixed in 1.0f-2 that was released 5 months ago on April 5th 2015. This is documented in the release notes: https://veracrypt.codeplex.com/wikipage?title=Release%20Notes
For the other three points you can read my comments on the audit that I published on April 3rd 2015: https://veracrypt.codeplex.com/discussions/616471#post1399210

You'll find there an objective evaluation of the impact of the remaining issues. Please feel free to comment on the evaluation above.